Date: Mon, 26 Apr 2004 20:24:19 -0500
From: Mark Johnston <mjohnston@skyweb.ca>
To: current@freebsd.org
Subject: cvs-src summary for 18/04/04 - 26/04/04
Message-ID: <200404262024.19791.mjohnston@skyweb.ca>
Here's the first Monday summary - for those who didn't get the first post,
I've switched to producing the summaries Monday evenings.

FreeBSD cvs-src summary for 18/04/04 to 26/04/04
++++++++++++++++++++++++++++++++++++++++++++++++

This is a regular weekly summary of FreeBSD's cutting-edge development.
It is intended to help the FreeBSD community keep up with the fast-paced
work going on in FreeBSD-CURRENT by distilling the deluge of data from
the CVS mailing list into a (hopefully) easy-to-read newsletter.

This newsletter is marked up in reStructuredText_, so any odd punctuation
that you see is likely intended for the reST parser.

.. _reStructuredText: http://docutils.sourceforge.net/rst.html

You can get old summaries, and an HTML version of this one, at
http://www.xl0.org/FreeBSD/.

Please send any comments to Mark Johnston (mark at xl0.org).

For Lukasz Dudek and Szymon Roczniak's Polish translations of these
summaries, which may lag the English ones slightly, please see
http://mocart.pinco.pl/FreeBSD/.

.. contents::

============
New features
============

TCP security and reliability improvements
-----------------------------------------

Mike Silbersack (silby) enhanced the generation of new TCP sequence
numbers for very fast (gigabit plus) networks, correcting a problem where
the second connection in a few milliseconds from the same host and port
could fail.  He also added OpenBSD's code for allocating temporary port
numbers randomly instead of sequentially, making attacks against TCP more
difficult.  This random allocation code can be turned off with the sysctl
net.inet.ip.portrange.randomized.  It has also been MFC'ed.

http://www.freebsd.org/cgi/mid.cgi?200404200633.i3K6XdXn067858

http://www.freebsd.org/cgi/mid.cgi?200404200645.i3K6JAJE070009

MFC: http://www.freebsd.org/cgi/mid.cgi?200404232331.ii3NNVsXV094917

OpenSSH 3.8.1p1 imported
------------------------

Dag-Erling Smorgrav (des) imported OpenSSH 3.8.1p1, replacing the old
3.8p1.
3.8.1 fixes many minor bugs with the portable version of OpenSSH, as well
as a potential crash in PAM and the accidental clearing of the TZ
environment variable.  For details, please see the `release announcement`_
or `changelog`_.

.. _`release announcement`: http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=108238148508920&w=2
.. _`changelog`: ftp://ftp.ca.openbsd.org/pub/OpenBSD/OpenSSH/portable/ChangeLog

http://www.freebsd.org/cgi/mid.cgi?200404200935.i3K9Zeie019336

Asus ACPI extras driver added
-----------------------------

Philip Paeps (philip) added a driver called acpi_asus that provides support
for ACPI-controlled features like hotkeys and LCDs on Asus laptops.  Philip
is planning to track the similar acpi4asus_ Linux project closely to keep
this functionality up to date.

.. _acpi4asus: http://sourceforge.net/projects/acpi4asus/

http://www.freebsd.org/cgi/mid.cgi?200404222129.i3MLT2tt026967

ipfw versrcreach (verify source reachability) option added
----------------------------------------------------------

Andre Oppermann (andre) added an option to ipfw called versrcreach that
verifies that a valid route to the source of a packet exists in the routing
table.  The new option is used as follows::

  ipfw add 1000 deny ip from any to any not versrcreach

This is similar to the option "ip verify unicast source reachable-via any"
on Cisco routers.  Note that versrcreach ignores the default route, so if
you use it on machines that don't do BGP routing (like desktops or
servers), you will likely deny all traffic.  With this change, ipfw will
need to be recompiled.

http://www.freebsd.org/cgi/mid.cgi?200404231427.i3NERR34063763

Raw socket support inside jails
-------------------------------

Bosko Milekic (bmilekic) committed a modified version of a patch by
Christian S. J. Peron that adds a sysctl, security.jail.allow_raw_sockets,
to control raw socket access inside jails.
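Returning to the versrcreach option described above: the following is an added example, not part of this summary and not Andre's ipfw code, that models the reverse-path check in userland. It does a longest-prefix match over a constructed IPv4 routing table while skipping the default route, so that on a desktop whose only routes are a LAN prefix and a default, the ``deny ... not versrcreach`` rule blocks every source outside the LAN, which is the caveat the text gives. The routing tables, addresses and function names are all constructed for the illustration; ``rt_lookup`` with ``ignore_default`` cleared is included only to show that the default route would otherwise have matched.

```c
/* Added example: userland model of ipfw's versrcreach check.
 * Not FreeBSD's code; tables, addresses and names are constructed. */
#include <stdio.h>
#include <stdint.h>
#include <arpa/inet.h>

struct route {
    uint32_t prefix;   /* network address, host byte order */
    int      plen;     /* prefix length; 0 marks the default route */
};

/* Constructed table of a typical desktop: one LAN route plus a default. */
static const struct route desktop_rt[] = {
    { 0xC0A80100u, 24 },   /* 192.168.1.0/24 */
    { 0x00000000u,  0 },   /* 0.0.0.0/0, the default route */
};

/* Constructed table of a router that carries specific prefixes only. */
static const struct route bgp_rt[] = {
    { 0x0A000000u,  8 },   /* 10.0.0.0/8 */
    { 0xC0000200u, 24 },   /* 192.0.2.0/24 */
    { 0xC0A80100u, 24 },   /* 192.168.1.0/24 */
};

#define NELEM(a) ((int)(sizeof(a) / sizeof((a)[0])))

static uint32_t plen_mask(int plen)
{
    return plen == 0 ? 0u : 0xFFFFFFFFu << (32 - plen);
}

/* Longest-prefix match. Returns the index of the best entry, or -1.
 * With ignore_default set, a /0 entry never counts as a match, which is
 * the behaviour the summary describes for versrcreach. */
static int rt_lookup(const struct route *rt, int n, uint32_t addr, int ignore_default)
{
    int best = -1;
    for (int i = 0; i < n; i++) {
        if (ignore_default && rt[i].plen == 0)
            continue;
        if ((addr & plen_mask(rt[i].plen)) == rt[i].prefix &&
            (best < 0 || rt[i].plen > rt[best].plen))
            best = i;
    }
    return best;
}

/* versrcreach: is there a non-default route back to the packet's source? */
static int versrcreach(const struct route *rt, int n, uint32_t src)
{
    return rt_lookup(rt, n, src, 1) >= 0;
}

/* Dotted quad to host-order address; returns 0 on unparsable input. */
static uint32_t ip4(const char *s)
{
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1 ? ntohl(a.s_addr) : 0u;
}

/* Verdict of "ipfw add 1000 deny ip from any to any not versrcreach"
 * for a packet with the given source: 1 = deny, 0 = pass. */
static int rule_denies(const struct route *rt, int n, const char *src)
{
    return !versrcreach(rt, n, ip4(src));
}

int main(void)
{
    /* Constructed sample sources: on-LAN, routed by the router, unknown. */
    const char *srcs[] = { "192.168.1.20", "10.4.5.6", "198.51.100.7" };
    for (int i = 0; i < NELEM(srcs); i++)
        printf("%-14s desktop: %s   router: %s\n", srcs[i],
               rule_denies(desktop_rt, NELEM(desktop_rt), srcs[i]) ? "deny" : "pass",
               rule_denies(bgp_rt, NELEM(bgp_rt), srcs[i]) ? "deny" : "pass");
    return 0;
}
```

On the desktop table only the 192.168.1.0/24 source passes; the other two would have matched the default route, which the check ignores, so the rule denies them. On the router table the RFC 1918 and documentation prefixes pass and the source with no route is denied, which is the use the option is meant for.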
When the sysctl is turned on, ping and traceroute will work inside jails;
however, jailed processes will be able to spoof their IP address on
outgoing packets.  Christian's patch was submitted in `PR 65800`_.

.. _`PR 65800`: http://www.freebsd.org/cgi/query-pr.cgi?pr=65800

http://www.freebsd.org/cgi/mid.cgi?200404261946.i3QJkqTK090160

Israel Hebrew locale added
--------------------------

Tim J. Robbins (tjr) added an Israel/Hebrew locale, named he_IL.UTF-8.  The
patch was submitted by Hye-Shik Chang in `PR 65826`_.

.. _`PR 65826`: http://www.freebsd.org/cgi/query-pr.cgi?pr=65826

http://www.freebsd.org/cgi/mid.cgi?200404211528.i3LFSNro088446

Per-interface polling control and vr polling MFC'ed
---------------------------------------------------

Ruslan Ermilov (ru) merged his per-interface polling support code to 4.x,
along with polling support for the vr (Via Rhine) interface.  Polling can
be controlled with the ifconfig option named "polling".  This code will
not be in 4.10.

http://www.freebsd.org/cgi/mid.cgi?200404222203.i3MM3S63036235

===============
Notable changes
===============

Change to callout ABI requires kernel module rebuild
----------------------------------------------------

Colin Percival (cperciva) removed binary compatibility for the callout_stop
function, which cancels a pending delayed function call.  Because of this
change, you will need to recompile all your kernel modules next time you
rebuild your kernel.  The change is also documented in UPDATING.

http://www.freebsd.org/cgi/mid.cgi?200404201549.i3KFnVCh015979

=================
Discussion topics
=================

BGP routing implementation under discussion
-------------------------------------------

Luigi Rizzo (luigi) made a number of readability fixes to the routing code,
adding comments and macros.  Darren Reed (darrenr) objected that the changes
were adding gratuitous differences, making it hard to compare the FreeBSD
code to other versions.
Colin Percival (cperciva) explained that the changes were to make proper
locking easier to add.  Darren asked why the variable name changes and
macros were needed to make locking easier; Dag-Erling Smorgrav (des) and
Max Laier (mlaier) both pointed out that making the code easier to
understand makes it easier to add locking.  Darren argued that the code is
hard to read not because of the variable names, but because of the
complexity of the work it does, and suggested that reading W. Richard
Stevens's `TCP/IP Illustrated`_ would be more helpful to understanding the
code than the changes Luigi was making.  Brian Feldman (green) and Bruce M.
Simpson (bms) both noted that Stevens's book was significantly out of date
vs. the current code.  Luigi explained that the part he plans to work on is
the undocumented one.

Luigi also mentioned that the current routing structure is big and slow,
and in need of optimization.  Darren noted that Cisco routers use 320 bytes
per entry, also giving a link to `BGP reports`_.  Andre Oppermann (andre)
mentioned that he had designed a data representation for OpenBSD's bgpd
that uses 234 bytes per prefix with a few bytes for each extra path; this
is as good or better than Cisco IOS; he also said that the kernel's routing
base could be made as small as 1 MB to fit in the CPU's cache.  Alexey
Dokuchaev (danfe) asked why bgpd was imported into OpenBSD and not FreeBSD;
Andre said that the code works on FreeBSD and that a port was in the works,
but that he didn't think bgpd belonged in the base system.

.. _`BGP reports`: http://bgp.potaroo.net/index-bgp.html
.. _`TCP/IP Illustrated`: http://www.kohala.com/start/tcpipiv2.html

http://www.freebsd.org/cgi/mid.cgi?200404211527.i3LFRabS088245

=================
Committer changes
=================

Marcel Moolenaar (marcel) noted that Marius is no longer under mentorship.
http://www.freebsd.org/cgi/mid.cgi?200404252004.i3PK40md051136

===================
Important bug fixes
===================

TCP reset handling improved
---------------------------

Mike Silbersack (silby) modified the handling of TCP reset packets using an
idea from Darren Reed (darrenr).  The goal was to make the recently
announced `TCP reset attack`_ as difficult as possible while maintaining
compatibility with as many TCP stacks as possible.  The new code accepts
only reset packets that match the expected sequence number exactly on
established connections.  He also added a field to netstat that counts
the number of resets ignored under these rules.

.. _`TCP reset attack`: http://www.uniras.gov.uk/vuls/2004/236929/tcp.htm

http://www.freebsd.org/cgi/mid.cgi?200404260256.i3Q2uV18048208

Unintended read access to memory-resident files eliminated
----------------------------------------------------------

Alan Cox (alc) committed a patch to the mmap memory-mapped file handling
code to fix an issue where pages marked as PROT_NONE (inaccessible) could
become readable.  This problem was discovered by Mark W. Krentel and
submitted in `PR 64573`_.

.. _`PR 64573`: http://www.freebsd.org/cgi/query-pr.cgi?pr=64573

http://www.freebsd.org/cgi/mid.cgi?200404240346.i3O3kipl055272

===============
Other bug fixes
===============

Darren Reed (darrenr) fixed a bug in the rc.d code that made ipmon exit
immediately when configured to start on bootup.

http://www.freebsd.org/cgi/mid.cgi?200404201330.i3KDUnkF077694
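As an added illustration of the reset-handling change under "TCP reset handling improved" above (this is not FreeBSD's tcp_input.c and not silby's patch), the block below models both acceptance rules for an established connection: the pre-change rule, which honours a RST whose sequence number falls anywhere inside the receive window, and the new rule, which honours only a RST carrying exactly the next expected sequence number and counts everything else. The two-field ``struct tcpcb``, the ``ignored_rsts`` counter (standing in for the netstat field the summary mentions; the name is assumed) and the sample segments are constructed; the ``SEQ_*`` macros follow the modular-comparison idiom of ``<netinet/tcp_seq.h>`` so the check stays correct across 32-bit wrap-around.

```c
/* Added example: userland model of the two TCP RST acceptance rules.
 * Not FreeBSD's code; connection state, counter name and segments are constructed. */
#include <stdio.h>
#include <stdint.h>

typedef uint32_t tcp_seq;

/* Modular sequence comparisons, same idiom as SEQ_LT/SEQ_GEQ in <netinet/tcp_seq.h>. */
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define SEQ_GEQ(a, b) ((int32_t)((a) - (b)) >= 0)

/* The only per-connection fields the check needs (constructed, not the real
 * struct tcpcb). Models an ESTABLISHED connection only. */
struct tcpcb {
    tcp_seq  rcv_nxt;   /* next sequence number we expect from the peer */
    uint32_t rcv_wnd;   /* receive window we last advertised */
};

/* Stand-in for the netstat counter of ignored resets (name assumed). */
static unsigned long ignored_rsts;

/* Pre-change rule (RFC 793 acceptability test): the RST is honoured if its
 * sequence number lies anywhere in [rcv_nxt, rcv_nxt + rcv_wnd). */
static int rst_in_window(const struct tcpcb *tp, tcp_seq seq)
{
    return SEQ_GEQ(seq, tp->rcv_nxt) &&
           SEQ_LT(seq, tp->rcv_nxt + tp->rcv_wnd);
}

/* New rule from the summary: only a RST carrying exactly rcv_nxt tears the
 * connection down; anything else is dropped and counted. */
static int rst_accept_strict(const struct tcpcb *tp, tcp_seq seq)
{
    if (seq == tp->rcv_nxt)
        return 1;
    ignored_rsts++;
    return 0;
}

/* Feed a batch of RST sequence numbers through one rule; returns how many
 * of them would have torn the connection down. */
static int count_accepted(int (*rule)(const struct tcpcb *, tcp_seq),
                          const struct tcpcb *tp, const tcp_seq *seqs, int n)
{
    int accepted = 0;
    for (int i = 0; i < n; i++)
        accepted += rule(tp, seqs[i]);
    return accepted;
}

/* Constructed connection state and a constructed batch of RST segments:
 * exact match, two in-window guesses, one just below rcv_nxt, one at the
 * window's upper edge (which is outside the half-open interval). */
static const struct tcpcb sample_tp = { 1000000u, 65535u };
static const tcp_seq sample_rsts[] = { 1000000u, 1000042u, 1033000u, 999999u, 1065535u };
#define NSAMPLE ((int)(sizeof sample_rsts / sizeof sample_rsts[0]))

int main(void)
{
    printf("in-window rule   accepts %d of %d\n",
           count_accepted(rst_in_window, &sample_tp, sample_rsts, NSAMPLE), NSAMPLE);
    printf("exact-match rule accepts %d of %d, ignored %lu\n",
           count_accepted(rst_accept_strict, &sample_tp, sample_rsts, NSAMPLE),
           NSAMPLE, ignored_rsts);
    return 0;
}
```

The batch shows the difference the change makes on the receiving side: the window rule tears the connection down for three of the five segments, the exact-match rule for one, and the counter records the four it dropped, which is what the new netstat field lets an administrator see.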
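For the PROT_NONE fix under "Unintended read access to memory-resident files eliminated" above, a practitioner may want a regression-style check that the invariant holds on a given system. The program below is an added example, not Alan's patch and not the test case from the PR: it maps one page of a constructed temporary file, confirms the page is readable while mapped PROT_READ, switches it to PROT_NONE with mprotect, and reports whether a subsequent read faults, recovering from the fault with siglongjmp. It is plain POSIX C and assumes only a writable temporary directory; the function and variable names are the example's own.

```c
/* Added example: self-check that a PROT_NONE page of a mapped file is not
 * readable. Not FreeBSD's code; the temp file and names are constructed. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <setjmp.h>
#include <sys/mman.h>

static sigjmp_buf fault_jmp;

static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_jmp, 1);   /* unwind back to the sigsetjmp in read_faults */
}

/* Probe-read one byte at p. Returns 1 if the access faulted, 0 if it succeeded.
 * Installs temporary SIGSEGV/SIGBUS handlers and restores the old ones after. */
static int read_faults(const volatile char *p)
{
    struct sigaction sa, old_segv, old_bus;
    volatile int faulted;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);   /* some platforms raise SIGBUS for file mappings */

    if (sigsetjmp(fault_jmp, 1) == 0) {
        char c = *p;                    /* volatile: the load is really issued */
        (void)c;
        faulted = 0;
    } else {
        faulted = 1;                    /* we arrived here via on_fault */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

/* Map one page of a constructed temp file, confirm it is readable with
 * PROT_READ, then mark it PROT_NONE and confirm reads fault.
 * Returns 1 when PROT_NONE is enforced, 0 when the page stayed readable
 * (the symptom the summary describes), -1 if setup failed. */
static int prot_none_enforced(void)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    FILE *f = tmpfile();
    if (f == NULL || pagesz <= 0)
        return -1;
    int fd = fileno(f);
    if (ftruncate(fd, pagesz) != 0 || write(fd, "hello", 5) != 5) {
        fclose(f);
        return -1;
    }

    char *p = mmap(NULL, (size_t)pagesz, PROT_READ, MAP_PRIVATE, fd, 0);
    if (p == MAP_FAILED) {
        fclose(f);
        return -1;
    }

    int result = -1;
    if (read_faults(p) == 0 && p[0] == 'h') {          /* baseline: page readable */
        if (mprotect(p, (size_t)pagesz, PROT_NONE) == 0)
            result = read_faults(p);                    /* 1 = enforced, 0 = still readable */
    }
    munmap(p, (size_t)pagesz);
    fclose(f);
    return result;
}

int main(void)
{
    int r = prot_none_enforced();
    puts(r == 1 ? "PROT_NONE enforced: read faulted"
       : r == 0 ? "PROT_NONE page was READABLE"
                : "setup failed");
    return r == 1 ? 0 : 1;
}
```

The exit status makes the program usable from a test script: 0 only when the inaccessible page actually faults. The baseline read before the mprotect call matters, because without it a fault could also mean the mapping itself was broken rather than that protection was enforced.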